Welcome to our webinar. Today, we're going to talk about CIAM and the tie-in with our new tool, KC OpenSelect. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and welcome. So some logistics info. Everyone's muted centrally. There's no need to mute or unmute yourself. We're going to do a couple of polls a little past midway through on this, and hope everyone will participate. I'll take questions. There's a questions blank in the CMIT control panel. Feel free to enter those, and I'll talk to those at the end.
And then the recording and slides you see here today will be available in a few days. So first up, I'll give an overview of CIAM, including some of the trends and what we've seen in our latest research. We'll look at the evaluation criteria used for doing leadership compasses and now OpenSelect as well. And we'll talk about the methodology, the categories that we rate, and then give you a preview of what OpenSelect looks like. So first up, what does the C in CIAM stand for? We often hear it called customer IAM. Sometimes we'll call it consumer IAM.
Really, it's all of those plus citizen. So on the consumer side, we see use cases, you know, as you might expect around online banking, retail, e-commerce, media, subscription accounts, things like that. But we also see, you know, business-to-business customer kinds of relationships for, you know, different members of a supply chain, logistics. So businesses are using CIAM quite extensively these days, too. But then there's also governments interacting with citizens using CIAM solutions, you know, maybe to register and pay their taxes online.
Or to apply for or renew different kinds of licenses online. So all these different kinds of use cases fit into the broad spectrum of consumer, customer, citizen, CIAM. So when organizations are looking for CIAM solutions, they have a number of different reasons. They might be, you know, trying to find something. Maybe they want to replace an existing CIAM solution that, you know, isn't really doing everything that they need it to do. They need to be able to offer new and different forms of self-registration for, let's say, consumers to register.
They need to be able to host the consumer profiles or customer profiles, you know, which can need to contain more kinds of information than you might commonly be able to put into a regular IAM LDAP kind of database. Ultimately, the goals usually are to convert unknown users to known users and be able to collect consent for regulatory compliance. We'll talk more about regulatory compliance, especially privacy regulations.
But, you know, there have been more privacy regulations enacted in various places around the world. And it can make it difficult for an organization that operates in multiple jurisdictions to comply with those. But fortunately, a lot of CIAM solutions have those kinds of options built into them today.
So, you know, in order to turn an unknown user into a known user, that means collecting information about them with consent, of course, where applicable. But, you know, organizations want to do this to be able to get marketing analytics and tie it into their marketing automation systems, ultimately in the cases of consumer-facing organizations or B2B relationships to increase revenue. On the security side, many organizations find they need to offer better and stronger authentication for a variety of different reasons, different security risks. We need better account recovery mechanisms often.
That's a motivation because if you're just doing passwords and password resets, that can be not only expensive in terms of organizational costs, but if a user can't recover their account because it's infrequently used, then it's potentially lost business. So account recovery is very key for most organizations that are looking for CIAM. And then closely related to that, identity analytics for the purposes of security.
Again, kind of making sure it's the right user. So when we talk to organizations that have implemented or are looking to implement or update their CIAM, some of the things that we hear about are the problems that they have encountered, and those are things like not enough API exposure. Most organizations want to integrate their CIAM with a variety of other systems, maybe their workforce IAM or line-of-business applications, and earlier generation products did not make that as easy as they do today.
Most are much better at allowing customers to either have prebuilt connectors or really good API connectivity such that they can make those connections themselves. Historically, there was lack of support for legacy applications. Identity and marketing analytics were built into the CIAM system. Most organizations today want to be able to get that information out of it to prevent CIAM from becoming a silo. Early gen products were typically on-premises hosted, which can be more difficult to scale because you've got to buy hardware, you've got to have people to run it.
So cloud-based solutions have really taken off over the last five or 10 years, and we see a lot of preference for cloud-delivered CIAM solutions to address the scalability problems. A few other things that early gen CIAM solutions did not do as well at, and that was offering stronger kinds of authentication. It was mostly just password, insufficient consent collection, consent notice, difficult for users to be able to manage their consents, revoke them.
But since GDPR and other subsequent regulations have come along, most of the CIAM vendors have built this kind of functionality in to make it easier for organizations to do that, and it makes it easier for them then to comply with those different kinds of regulations. There's also been a bit of innovation in licensing subscription cost models with more CIAM vendors moving to a pretty straightforward monthly active user kind of cost structure. As you know, there has been an awful lot of cybercrime and a lot of fraud.
It has been increasing, unfortunately, a lot of innovation in cybercrime, which is sad to say. But the two major kinds of fraud that we see consumer and customer-facing sites dealing with are ATO, or account takeover fraud, and AO, or account opening fraud.
ATO, just what it sounds like, having your account taken over. The methods used can be things like breached passwords, looking at password dumps on the dark web, credential stuffing attacks, bot perpetrated. Just brute force password guessing still works in some cases, unfortunately. These are used for draining victims' accounts of money or any other value that may be stored there. On the account opening side, it's often used to create mule accounts or accounts where even larger amounts of money can be moved, opening up lines of credit, for example.
And the hackers do this by getting PII about a victim, maybe from school, work, health records, and then building an account that looks like a real person and then using it to apply for a line of credit, for example. The major mitigations here for account takeover, multi-factor authentication, risk-based authentication, greatly help reduce the incidence of account takeover fraud, especially in conjunction with fraud reduction intelligence platforms.
And on the AO or account opening side, some of the best mitigations around identity proofing, increasing the identity assurance level so that the right person really makes the account and the others are denied. So some of the new things we've seen in the last couple of years is, as you might expect, you know, digital transformation was really driven hard during the pandemic.
You know, all businesses, even the ones that didn't have strong online components, had to have them in order to stay in business and compete. As I mentioned, fraud is just skyrocketing. Every consumer-facing site has to have some sort of fraud prevention technology these days. There's a need for identity proofing, again, as a fraud reduction method. We see some CIAM solutions that are offering this directly, and many are now offering API connectors to third-party identity proofing services.
The privacy regulation compliance, more laws, more complexity, businesses and organizations need the help of CIAM solution providers in being able to meet those regulatory requirements. There are now passwordless authentication options that make it a lot easier for consumers to log in, much, you know, less painful, and also increase usability and security.
There's a need for integrating and interoperating using those APIs, so standards-based APIs, you know, REST, Webhooks, GraphQL, we see more and different kinds of functions that are exposed through APIs for integration with, you know, different kinds of on-premises or cloud-based applications. IoT device identity, many manufacturers and stores will want to be able to allow their consumers to control or associate their purchased devices with a known and trusted digital identity, so IoT device identity management is a very important consideration in CIAM today.
And then lastly here, you know, B2B is increasing. B2B customer relationships are, in most cases, very well handled by CIAM solutions that are out there today, and in fact, vendors report that B2B and B2B2C kinds of use cases are driving some of the most growth in uptake in CIAM.
So, we did a round of research on CIAM, and what we found were, you know, a number of different improvements, but the evaluation criteria that I used to rate them are onboarding, and by onboarding, I mean how easy is it for a consumer or customer to get into, you know, a deploying organization's systems? To register, can you do customization of the workflows? Is there identity proofing that can be built into that?
You know, we've seen an increase in the use of, like, remote mobile document verification apps that are, you know, facilitating easier onboarding and bringing additional identity assurance, identity assurance itself, you know, increasing the identity assurance level to what customers feel is appropriate for their particular business cases. ATO protection, again, I think this is so key. It deserved to be called out as a special line item in the report. What facilities does a CIAM solution have within it to be able to help protect the accounts of their customers?
Authentication, this is a measure of, you know, what kinds of authentication methods are possible within the solution. Does it offer passwordless, risk-based, and is it easy for the customer or deploying organization to configure? Consent management, this measures, you know, does it do everything you would expect it to do for, like, GDPR consent collection, including, you know, presenting a user with a screen to review and revoke consent if they no longer choose to do business or share information with an organization.
Some often will put in data subject access request facilities within the consent management platform in the CIAM system. IoT device management, what is possible for IoT device management in the solution that we're looking at, and we'll show you some examples in a minute. Identity analytics, you know, again, this can be very, very helpful for security.
And then, lastly, marketing integration. You know, earlier-gen CIAM solutions tried to present a lot of the marketing information directly within the CIAM solution, but most customers want to, you know, be able to get that information out and into other data analytics platforms they use today.
So, marketing integration covers not only API connectivity, but, you know, how many pre-built connectors are there that make it easy for a deploying organization to connect their CIAM to whatever data analytics marketing automation kind of tool that they've got? So, let's look at our processes and how we go about doing our research. First of all, we will identify all the vendors in the field, get briefings, demonstrations. We send out, you know, massive technical questionnaires and get them to answer questions. We get all this information back. We analyze it. We rate them. We write about them.
Then we send that out for fact check, get updates if needed. And then once it's all clear, then we publish on kuppingercole.com. And now we will also be doing this in OpenSelect, which you'll see in just a moment. In addition to those special categories for CIAM I just talked about, we also look at nine standard categories.
Security, this is about how secure is the product itself. Functionality, does the product do everything that we expect it to do? Does it have all the right features? Deployment, you know, is this only for the cloud? Can it be run on-prem?
Is it, you know, fully managed SaaS? And then how easy is it to deploy? And what level of effort is needed to maintain it? Interoperability, this is really where standards are key. There are many different identity standards for, you know, how accounts are stored, how they communicate, how you authenticate, how you can be authorized. And support for standards is very important for interoperability. And then usability, you know, how easy is it not only for the end user or the consumer or customer or citizen, but what's it like for the admin, the deploying organization?
Is it easy and intuitive for them to manage? Then we also look at innovation, you know, does the product deliver what we expect it to? Is it leading edge or a little bit behind?
Market, you know, how many customers, how geographically distributed are they? What's their, what regions of the world are they operating in? Ecosystem is really about how does a customer organization find support? Do they have, you know, resellers or system integrators and how well distributed around the world are they? And then lastly, we will look at, you know, any relevant company from startup to, you know, massive public company. And we try to explain what their overall financial strength is in the financial strength rating. So let's do a couple of quick poll questions here.
Which of the following, if you're looking for CIAM, has been a main motivation for you and your organization? Is it improving the customer or consumer experience? Improving security? Enhancing your marketing opportunities? Or increasing revenue?
Great, we see the results here in real time. Excellent. So more than half say improving the customer experience. That's great. That is an important consideration.
Okay, let's move to poll number two. What's the biggest obstacle your organization faces in deploying or upgrading CIAM? Would you say it's budget, business versus IT alignment on goals, integrating with the apps that you've got, or scalability or difficulty in managing CIAM, and lack of or lack of customizability and API integration? This time we see budget versus, or business versus IT alignment on goals as the top concern.
Okay, so now let's look at how, what KC OpenSelect is like. And you can use this new tool to view the results of the leadership compass and subsequent research. So quick word about KC OpenSelect. Like I said, it's our new tool. It's free for everyone to use. The motivation behind it is to be able to help organizations come in, sort of look at their own use cases, the things that they think are most important, and sort of customize the rating and help you make, you know, better decisions on where you might, what products you might want to look at when you're doing an RFP.
It certainly can't give you the full guidance on selecting a product, but it's a great starting point for doing that. So in this leadership compass for CIAM, I won't read off all these vendors, but there's probably a lot of names you recognize, and maybe some that you don't. Each time we run the report, you know, every year, year and a half or so, we find that not only are the overall numbers of customers that these organizations have increasing, but there are more companies that are getting into CIAM because it is, you know, a really rapidly growing field.
So when you first get into OpenSelect and you drill into CIAM, you'll find, you know, an overview, a little bit like maybe what we've discussed today. And from here, you know, you can navigate to, you know, finding out more about how it works. You can get into and see the different vendors that I mentioned.
And here, you know, as an example, you can see how they're rated across those standard categories, like deployment functionality, as well as each individual vendor's spider graph that shows the specific categories that I mentioned earlier about, you know, for CIAM, you know, the identity assurance, ATO protection. Marketing integration, IoT device management, so you can see how they rate. Then you can also drill down into more details on each vendor, and you can build your own comparison table to look at which vendors, you know, you think might be most applicable. You can also sort by use cases.
We've listed, you know, a number of different use cases that we find are important to different organizations that these vendors support. You can read about those. Then you can also down select and rate or see what the ratings are for each company by that in another comparison table. You can get information about what you should be thinking about when you're going out to do an RFP for CIAM. What are the internal considerations, you know, beyond technical, as well as getting, you know, the list of technical questions, too.
And here are some questions that you might want to ask as you start an acquisition process for a CIAM solution. And then you can also read the full documents and related documents on our website under kuppingercole.com/research. So let's see, do we have any questions?
Okay, first question. Is there a real adoption on passwordless in CIAM space? There are lots of opportunities in terms of, you know, products that support different passwordless authentication mechanisms.
I think, you know, as we can see in our day-to-day experience, there are not nearly as many deploying organizations that are taking advantage of the passwordless authentication capabilities that are there. But, yeah, I would say, you know, take a look at OpenSelect or read the leadership compass. You can see exactly which vendors support passwordless authentication.
Plus, we did a passwordless authentication leadership compass back, I think, it published in January. And that's also available in KC OpenSelect. So you can see which vendors support that today. Self-service account and profile management in the evaluation criteria. That is in the evaluation criteria.
I mean, I just did not roll it up to, you know, one of the major, you know, eight categories this time. But there is text in the document that describes what the self-service account management is like so that it's, you can have an idea by reading through either the report or checking it out online on KC OpenSelect.
So, I don't see any further questions at the moment. So thanks, everyone, for attending.
And, yeah, please feel free to check out KC OpenSelect for not only what you see here in CIAM, but also in other areas as well. And we will be bringing additional topics to KC OpenSelect in the weeks ahead. So I encourage you to do that. And if you have any questions, other questions, feel free to reach out. Thank you.